
Post on 31-Mar-2015


Active Directory and NT Kerberos

Rooster

JD Glaser

Introduction to NT Kerberos v5

• What is NT Kerberos?

• How is it different from NTLM

• NT Kerberos vs MIT Kerberos

• Delegation and Client Authentication

• What does NT Kerberos look like on the wire?

• KTNet - A native NT Kerberos telnet server

What is NT Kerberos

• NT’s new authentication system

• MIT Kerberos v5 - an Open Standard

• Kerberos is the default authenticator in W2K domains

• NTLM still used for compatibility

– usually the weakest version

How is it different from NTLM

• Doesn’t use a password hash system

• Requires fewer authentication calls

• More sophisticated - Yes

• More secure? - Possibly in pure mode

– Backwards compatibility hinders it

– NTLM v2 is strong in pure mode as well

NT Kerberos

• Integrated with platform

• Locates KDC via DNS - DNS server required for install

• No support for DCE style cross-realm trust

• No “raw” krb5 API

• Postdated tickets (not implemented)

• Uses authdata field in ticket

Windows 2000 Kerberos standards

• RFC-1510

• Kerberos change password protocol

• Kerberos set password protocol

• RC4-HMAC Kerberos Encryption type

• PKINIT

Kerberos Interoperability Scenarios

• Kerberos clients in a Win2000 domain

• Kerberos servers in a Win2000 domain

• Standalone Win2000 systems in a Kerberos realm

• Using a Kerberos realm as a resource domain

• Using a Kerberos realm as an account domain

MIT Kerberos Differences

Win2000

• Clients

– Just logon

– Just logoff

– Domain membership

– Example app: everything

• Servers

– Use computer account via SCM

MIT

• Clients

– User logon with ‘kinit’

– User logoff with ‘kdestroy’

– Configured with /etc/krb5.conf

– Example app: telnet

• Servers

– Do not logon – use saved keys from keytab

Using Kerberos clients

Customer wants to have its non-windows Kerberos users use their Win2000 accounts

• Setup the /etc/krb5.conf

• Users kinit with their Win2000 account

[Diagram: Windows 2000 Server for nt.company.com and a Unix workstation]
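An /etc/krb5.conf for this scenario, added here as an example and not taken from the original deck. The realm name NT.COMPANY.COM, the domain controller dc1.nt.company.com and the port numbers are assumptions chosen to match the nt.company.com domain in the diagram; the encryption types reflect the RC4-HMAC type listed earlier in the deck plus the DES types Windows 2000 also offered for interoperability.

```ini
# Added example: /etc/krb5.conf on the Unix workstation, pointing MIT Kerberos
# clients at a Windows 2000 domain controller acting as the KDC.
# Realm, host names and ports are assumptions for illustration.
[libdefaults]
    default_realm = NT.COMPANY.COM
    # RC4-HMAC is the Windows 2000 encryption type named in the deck;
    # the DES types are the interoperable fallback of that era.
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    # Windows KDCs can also be found through DNS SRV records; a static
    # entry is used here so the file works without DNS lookups.
    dns_lookup_kdc = false

[realms]
    NT.COMPANY.COM = {
        kdc = dc1.nt.company.com:88
        admin_server = dc1.nt.company.com
        # Kerberos change/set password service, also listed in the deck
        kpasswd_server = dc1.nt.company.com:464
    }

[domain_realm]
    .nt.company.com = NT.COMPANY.COM
    nt.company.com = NT.COMPANY.COM
```

With this file in place a user obtains a TGT from the Windows 2000 KDC with `kinit user@NT.COMPANY.COM` and can confirm it with `klist`; if the realm is omitted, `default_realm` supplies it.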

Using Kerberos servers

Customer wants to use their Kerberos enabled database server in an n-tier application front-ended by IIS

• /etc/krb5.conf on database server

• Create service account in domain

• Use ktpass to export a keytab

• Copy keytab to database server

• IIS server is trusted for delegation

[Diagram: Windows 2000 Wks, Windows 2000 IIS Server and Unix Database Server in nt.company.com]
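The keytab export step of this scenario, as an added example in a Windows command script that is not part of the original deck. The service account name dbsvc, the service principal dbservice/dbserver.nt.company.com and the realm NT.COMPANY.COM are assumptions; the ktpass options used are those of the Windows 2000 support tool.

```batch
@echo off
rem Added example, not from the original deck: bind a Kerberos service
rem principal to a domain service account and export its key as a keytab
rem for the Unix database server.
rem Assumed names: realm NT.COMPANY.COM, service account "dbsvc",
rem database host dbserver.nt.company.com, service name "dbservice".

rem 1. The service account dbsvc was created beforehand in the domain
rem    (Active Directory Users and Computers).
rem 2. ktpass maps the service principal onto that account, sets the
rem    account password (prompted for with /pass *) and writes the keytab.
ktpass /princ dbservice/dbserver.nt.company.com@NT.COMPANY.COM ^
       /mapuser dbsvc ^
       /pass * ^
       /ptype KRB5_NT_PRINCIPAL ^
       /out dbsvc.keytab

rem 3. The keytab holds the service's long-term key, so move it to the
rem    database server only over a protected channel and remove this copy
rem    afterwards (destination path is a placeholder).
rem    copy dbsvc.keytab \\transfer-host\secure-share\dbsvc.keytab
rem    del dbsvc.keytab
```

On the database server the keytab goes where the Kerberized database expects it (commonly /etc/krb5.keytab) with file permissions restricted to the service user, and `klist -k` lists the principal it contains. The last step in the deck, trusting the IIS server for delegation, is set on the IIS computer account in Active Directory Users and Computers ("Trust computer for delegation"); it lets IIS obtain a ticket to the database service on behalf of the logged-on user, so it should be granted only to that front-end host.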

Kerberos realm as an account domain

• User logon with Kerberos principal

• User has shadow account in an account domain (for applying authz)

• Mapping is used at logon for domain identity

[Diagram: User@MIT.REALM.COM logs on at the computer comp$@win2k.domain.com; the domain win2k.domain.com trusts realm users of MIT.REALM.COM; the domain identity becomes user@win2k.domain.com (mapped from user@MIT.REALM.COM)]

Standalone Win2000 computers

An employee has a Win2000 computer that they want to use in a Kerberos realm

• Configure system as standalone (no domain)

• Use Ksetup to configure the realm

• Use Ksetup to establish the local account mapping

• Logon to Kerberos realm

[Diagram: Win2000 computer and a Linux/Unix host serving MIT.REALM.COM]
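The Ksetup steps of this scenario carried through end to end, as an added example in a Windows command script that is not from the original deck. The KDC host kdc.mit.realm.com, the principal alice@MIT.REALM.COM, the local account alice and the machine password value are assumptions; MIT.REALM.COM is the realm name from the diagram.

```batch
@echo off
rem Added example, not from the original deck: join a standalone (workgroup)
rem Windows 2000 computer to an MIT Kerberos realm with Ksetup.
rem Assumed names: KDC kdc.mit.realm.com, Kerberos principal alice,
rem local account alice. The machine password is a placeholder.

rem 1. Name the realm the computer will log on to and its KDC.
rem    A non-Windows realm is not found through DNS, so the KDC is listed.
ksetup /setdomain MIT.REALM.COM
ksetup /addkdc MIT.REALM.COM kdc.mit.realm.com

rem 2. Point password changes at the realm's kpasswd service.
ksetup /addkpasswd MIT.REALM.COM kdc.mit.realm.com

rem 3. Set the computer's own Kerberos password; it must match the key of
rem    the host principal the realm administrator created for this machine.
ksetup /setmachpassword CHANGE-ME-machine-password

rem 4. Map the realm principal to a local account. Authentication is done
rem    by the realm; local group membership and rights come from the
rem    mapped local account, which is the "shadow account" idea applied
rem    to a single machine.
ksetup /mapuser alice@MIT.REALM.COM alice

rem 5. Show the resulting configuration, then reboot. After the reboot the
rem    logon dialog lists MIT.REALM.COM and alice can log on with her
rem    realm password.
ksetup
```

A wildcard mapping (`ksetup /mapuser * *`) is also accepted and maps every realm principal to a local account of the same name; an explicit one-to-one mapping, as above, is easier to audit because it says exactly which principals may obtain a local identity on the machine.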

Trusting a Kerberos realm

• Win2000 users accessing services in Kerberos realms

• Kerberos users accessing services in domains

Windows 2000 Domain Trusts

[Diagram: the domain tree microsoft.com with child domains europe.microsoft.com and fareast.microsoft.com linked by Kerberos trust; an explicit Windows NT 4.0-style trust to a separate domain; an explicit Kerberos trust to a Kerberos realm; a shortcut trust between two domains. Legend: Domain, Kerberos realm, Kerberos trust, Explicit Windows NT 4.0-style trust, Explicit Kerberos trust, Shortcut trust]

Cross-domain Authentication

[Diagram: Windows 2000 Professional in west.company.com and Windows 2000 Server srv1.east.company.com in east.company.com, both under company.com, with a KDC in each domain; exchanges numbered 1 TGT, 2 TGT, 3 TGT, 4 TICKET]

Using Unix KDCs with Windows 2000 Authorization

[Diagram: Win2000 Professional and Windows 2000 Server in nt.company.com; MIT KDC for COMPANY.REALM and a Windows 2000 KDC; exchanges numbered 1 TGT, 2 TGT (with name mapping to NT account), 3 TICKET, 4 TICKET with NT Auth Data]

NT Kerberos vs MIT Kerberos

• NT caches the password for ticket renewal

• It’s not certain whether NT uses ticket caching to track stolen ‘replay’ tickets

Kerberos v5 Ticket Details

Delegation and Client Authentication

NT Kerberos On The Wire

Thank you

Rooster, rooster@attrition.org

JD Glaser, jd.glaser@foundstone.com

Appendix

• John Brezak, PM - Microsoft

– Kerberos Talk - MTB ‘99
